Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
IOS Security Apple

Apple Adds 'BlastDoor' To Secure iOS From Zero-Click Attacks (securityweek.com) 17

wiredmikey shares a report from SecurityWeek.com: Apple has quietly added several anti-exploit mitigations into iOS in what appears to be a specific response to zero-click iMessage attacks observed in the wild. The new mitigations were discovered by Samuel Grob, a Google Project Zero security researcher, [with the first big addition being] a new, tightly sandboxed "BlastDoor" service that is now responsible for the parsing of untrusted data in iMessages.

With iOS 14, Grob discovered that Apple shipped a significant refactoring of iMessage processing, and made all four parts of an attack much harder to succeed. Apple added logic into iOS 14 to specifically detect [shared cache region] attacks and new techniques to limit an attacker's ability to retry exploits or brute force Address Space Layout Randomization (ASLR).
"Overall, these changes are probably very close to the best that could've been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole," the Google researcher added.
This discussion has been archived. No new comments can be posted.

Apple Adds 'BlastDoor' To Secure iOS From Zero-Click Attacks

Comments Filter:
  • F that. Just put a limit on the character set and don't automatically parse anything other than substituting emojis. Is that fricking hard?

    • You can send binary objects (files, stickers, etc) through iMessage. So... yeah, kinda is... I would throw it into BASE64 with a type tag surrounding the BLOB. Yes, yes yes, it will take up much more space. But really, our networks and devices are getting to the point where they can handle attachments much like email can....
  • If they knew the difference between CODE and DATA then there would have been no problem whatsoever. Clearly they have been following along in the Microsoft tradition of EXECUTING DATA -- a course of action which has always, without fail, led to disastrous consequences.

    Yet another example of the little kiddies being hoisted by their own petards.

  • by antdude ( 79039 ) on Friday January 29, 2021 @12:21AM (#61004638) Homepage Journal

    Did iOS v12.5.1 fix it?

  • My Nexus6 hasn't seen an official OS update in years. It still does everything I need it to do.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...